On 19/08/2011, at 4:59 PM, jan.we...@t-systems.com wrote:
>> Hi,
>>
>> I have a little problem with devices in multiple huntgroups.
>> By now I know that this is not possible (rtfm helped ;-)
>>
>> What I wanted to do is the following:
>>
>> Two teams, but with different rights.
>>
>> Users:
>> ====================
>> DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", LDAP-Group == "<Team-1-Group>"
>>         Login-Service = Telnet,
>>         Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
>>
>> DEFAULT Auth-Type := LDAP, Huntgroup-Name == "readonly-nexus", LDAP-Group == "<Team-2-Group>"
>>         Login-Service = Telnet,
>>         Cisco-AVPair = "shell:roles*\"network-operator\" \"vdc-operator\""
>>
>> Huntgroups:
>> ====================
>> readonly-nexus NAS-IP-Address == 192.168.11.123
>> Nexus          NAS-IP-Address == 192.168.11.123
>>
>>
>> Since only the first match within the huntgroups is checked, team-2 always
>> gets "access-reject".
>>
>>
>> For checking, only the NAS-IP-Address makes sense in our environment.
>> I already found a hint to use rlm_passwd, but I can't get this to run.
>>
>> So I tried the following:
>>
>> =======================
>> Users:
>> DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", My-Device-Group == "Nexus-readonly", LDAP-Group == "<Team-2-Group>"
>>         Login-Service = Telnet,
>>         Cisco-AVPair = "shell:roles*\"network-operator\" \"vdc-operator\""
>>
>> modules/passwd:
>> passwd Groups_local {
>>     filename = /etc/raddb/groups_local
>>     format = "My-Device-Group:*NAS-IP-Address"
>>     hashsize = 50
>>     ignorenislike = no
>>     allowmultiplekeys = no
>>     delimiter = ":"
>> }
>>
>> groups_local:
>> Nexus-readonly:192.168.11.123
>>
>> dictionary:
>> ATTRIBUTE My-Device-Group 3000 string
>>
>> =======================
>>
>> Groups_local was placed in the authorize section, after preprocess.
>>
>> Debug shows:
>>
>> Ready to process requests.
>> rad_recv: Access-Request packet from host 192.168.11.123 port 48910, id=20, length=62
>>     User-Name = "test"
>>     User-Password = "test"
>>     NAS-Port-Type = Virtual
>>     NAS-Port = 3000
>>     NAS-IP-Address = 192.168.11.123
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> ++[groups_local] returns notfound
>>
>> Any idea?
>> Or is there a big bug in my config (and my mind)?
>> Thanks!
>>
>> Jan
>
> Does nobody have an idea what I'm doing wrong?
> Or any idea how I could realize this?
>
> Thanks a lot!
>
> Jan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

DEFAULT Huntgroup-Name == "nexus", LDAP-Group == "nexus_RO"
        ...

DEFAULT Huntgroup-Name == "nexus", LDAP-Group == "nexus_RW"
        ...

Add your users to groups to suit. While devices can only be in one group, users can be in many.
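The approach the reply sketches, carried through with the role attributes from Jan's original entries. This is an added example written for this page, not a configuration posted by either participant: the group names nexus_RO and nexus_RW are taken from the reply, the Cisco-AVPair values from the original post, and the single "nexus" huntgroup entry is an assumption.

```text
# huntgroups: the device appears exactly once, in one huntgroup
nexus   NAS-IP-Address == 192.168.11.123

# users: one huntgroup, two DEFAULT entries told apart by LDAP-Group.
# Entries are tried in order and the first match wins (no Fall-Through),
# so a user who is only a member of nexus_RO can never pick up the
# network-admin roles from the nexus_RW entry; a user in both groups
# gets the entry listed first.
DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", LDAP-Group == "nexus_RW"
        Login-Service = Telnet,
        Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""

DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", LDAP-Group == "nexus_RO"
        Login-Service = Telnet,
        Cisco-AVPair = "shell:roles*\"network-operator\" \"vdc-operator\""
```

With this layout the rlm_passwd lookup and the custom My-Device-Group attribute are no longer needed, since the per-team split is carried entirely by LDAP group membership.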